AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates 1 Windows Server Active Directory Certificate Services Enterprise CA into a subnet inside a VPC. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1rteoo9ij) Metadata: cfn-lint: config: ignore_checks: - W9006 - E9101 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - EntCaServerSubnet - DomainMembersSG - Label: default: Amazon EC2 Configuration Parameters: - EntCaServerInstanceType - EntCaDataDriveSizeGiB - EbsEncryptionKmsKeyId - KeyPairName - AMI - Label: default: Microsoft Active Directory Domain Services Configuration Parameters: - DirectoryType - DomainDNSName - DomainNetBIOSName - DomainController1IP - DomainController2IP - AdministratorSecret - Label: default: Microsoft Active Directory Certificate Services Configuration Parameters: - EntCaServerNetBIOSName - EntCaKeyLength - EntCaHashAlgorithm - EntCaValidityPeriodUnits - UseS3ForCRL - S3CRLBucketName - EnableAdvancedAudtingandMetrics - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AMI: default: AMI ID passed in from parent stack AdministratorSecret: default: Secret ARN Containing CA Install Credentials DirectoryType: default: Active Directory Domain Services Type DomainController1IP: default: IP used for DNS (Must be accessible) DomainController2IP: default: IP used for DNS (Must be accessible) DomainDNSName: default: Domain DNS Name DomainMembersSG: default: Domain Members Security Group ID DomainNetBIOSName: default: Domain NetBIOS Name EbsEncryptionKmsKeyId: default: KMS Key for EBS Encryption EnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics EntCaDataDriveSizeGiB: default: Enterprise Root CA Data Drive Size EntCaHashAlgorithm: default: Enterprise Root CA Hash Algorithm EntCaKeyLength: default: Enterprise Root CA Key Length EntCaServerInstanceType: default: Enterprise Root CA Instance Type EntCaServerNetBIOSName: default: Enterprise Root CA NetBIOS Name EntCaServerSubnet: default: Enterprise Root CA Subnet ID EntCaValidityPeriodUnits: default: Enterprise Root CA Certificate Validity Period in Years KeyPairName: default: Key Pair Name QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 Bucket Region QSS3KeyPrefix: default: Quick Start S3 Key Prefix S3CRLBucketName: default: CA CRL S3 Bucket Name UseS3ForCRL: default: Use S3 for CA CRL Location VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: AMI: Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base Description: AMI ID passed in from parent stack Type: AWS::SSM::Parameter::Value AdministratorSecret: Description: ARN for the Enterprise Root CA Install Credentials Secret used to to install the CA (Must be a member of Enterpise Admins) Type: String DirectoryType: AllowedValues: - AWSManaged - SelfManaged Default: AWSManaged Description: Type of Active Directory Enterprise Root CA will be integrated with, AWS Managed Microsoft AD or Self Managed AD Type: String DomainController1IP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: IP of DNS server that can resolve domain (Must be accessible) Type: String DomainController2IP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: IP of DNS server that can resolve domain (Must be accessible) Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: '255' MinLength: '2' Type: String DomainMembersSG: Description: Security Group ID for Domain Members Security Group. Type: AWS::EC2::SecurityGroup::Id DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: '15' MinLength: '1' Type: String EbsEncryptionKmsKeyId: Default: alias/aws/ebs Description: The identifier of the AWS KMS key to use for Amazon EBS encryption. You can specify the KMS key using any of the following; Key ID, Key alias, Key ARN, Alias ARN Type: String EnableAdvancedAudtingandMetrics: Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows AllowedValues: - 'true' - 'false' Type: String Default: 'false' EntCaDataDriveSizeGiB: Default: '2' Description: Size of the Data Drive in GiB for the Enterprise Root CA Type: Number EntCaHashAlgorithm: AllowedValues: - SHA256 - SHA384 - SHA512 Default: SHA256 Description: Enterprise Root CA Hash Algorithm for Signing Certificates Type: String EntCaKeyLength: AllowedValues: - '2048' - '4096' Default: '2048' Description: Enterprise Root CA Cryptographic Provider Key Length Type: String EntCaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Enterprise Root CA instance Type: String EntCaServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: ENTCA1 Description: NetBIOS name of the Enterprise Root CA server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String EntCaServerSubnet: Description: ID of the Enterprise Root CA subnet (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id EntCaValidityPeriodUnits: Default: '5' Description: Validity Period in Years Type: String KeyPairName: Description: Name of the key pair that you will use to securely connect to your EC2 instance after it launches. after it launches Type: AWS::EC2::KeyPair::KeyName QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-pki/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String S3CRLBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ Default: examplebucket Description: S3 bucket name for Enterprise Root CA CRL storage. Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String UseS3ForCRL: AllowedValues: - 'Yes' - 'No' Default: 'No' Description: Store Enterprise Root CA CRL in an S3 bucket Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Rules: SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must in the VPC S3CRLBucketNameValidation: RuleCondition: !Equals - !Ref UseS3ForCRL - 'Yes' Assertions: - AssertDescription: CRL BucketName cannot must be valid BucketName Assert: !Not [!Equals [!Ref S3CRLBucketName, 'examplebucket']] Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] UsingS3BucketForCrl: !Equals [!Ref UseS3ForCRL, 'Yes'] UsingLocalIisCrl: !Equals [!Ref UseS3ForCRL, 'No'] Resources: InstanceRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "* is required" - id: W27 reason: "Standard Amazon practice" - id: F1000 reason: "Standard Amazon practice" Properties: Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetObject Resource: - !Sub arn:${AWS::Partition}:s3:::aws-ssm-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::aws-windows-downloads-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::amazon-ssm-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::amazon-ssm-packages-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::${AWS::Region}-birdwatcher-prod/* - !Sub arn:${AWS::Partition}:s3:::patch-baseline-snapshot-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::aws-ssm-distributor-file-${AWS::Region}/* - !Sub arn:${AWS::Partition}:s3:::aws-ssm-document-attachments-${AWS::Region}/* PolicyName: SSMAgent - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:ListBucket Resource: !Sub - 'arn:${AWS::Partition}:s3:::${S3Bucket}' - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Effect: Allow Action: s3:GetObject Resource: !Sub - 'arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*' - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Effect: Allow Action: ssm:StartAutomationExecution Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${AWSQuickstartECA}:$DEFAULT - Effect: Allow Action: ssm:SendCommand Resource: - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:*:document/AWS-RunRemoteScript - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:*:document/AWS-RunPowerShellScript - Effect: Allow Action: ssm:SendCommand Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/* Condition: StringEquals: 'ssm:ResourceTag/aws:cloudformation:stack-name': !Ref AWS::StackName - Sid: ReadOperations Effect: Allow Action: - ec2:DescribeInstances - ssm:DescribeInstanceInformation - ssm:ListCommands - ssm:ListCommandInvocations Resource: '*' - Effect: Allow Action: cloudformation:SignalResource Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' PolicyName: AWS-Quick-Start-Policy - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Resource: - !Ref AdministratorSecret PolicyName: AWS-Quick-Start-Secret-Policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Principal: Service: - ec2.amazonaws.com Effect: Allow Version: '2012-10-17' InstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref InstanceRole Path: / S3CrlRolePolicy: Type: AWS::IAM::Policy Condition: UsingS3BucketForCrl Properties: PolicyName: S3-CRL-PublishRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetBucketLocation - s3:ListBucket Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3CRLBucketName}' - Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:PutObjectAcl - s3:DeleteObject Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3CRLBucketName}/*' Roles: - !Ref InstanceRole AWSQuickstartECA: Type: AWS::SSM::Document Properties: DocumentType: Automation Content: schemaVersion: '0.3' description: Deploy Single Tier PKI with SSM Automation parameters: AdministratorSecret: description: ARN for the CA Install Credentials Secret used to to install the CA (Must be a member of Enterpise Admins) type: String DirectoryType: description: Type of Active Directory CA will be integrated with type: String DomainDNSName: description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com type: String DomainNetBIOSName: description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE type: String DomainController1IP: description: IP of DNS server that can resolve domain (Must be accessible) type: String DomainController2IP: description: IP of DNS server that can resolve domain (Must be accessible) type: String EnableAdvancedAudtingandMetrics: description: Enable advanced auditing and metrics type: String EntCaHashAlgorithm: description: Enterprise Root CA Hash Algorithm for Siging Certificates type: String EntCaKeyLength: description: Enterprise Root CA Cryptographic Provider Key Length type: String EntCaValidityPeriodUnits: description: Validity Period in Years type: String EntCaServerNetBIOSName: description: NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters) type: String QSS3BucketName: description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). type: String QSS3BucketRegion: description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. type: String QSS3KeyPrefix: description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). type: String S3CRLBucketName: description: S3 bucket name for CA CRL storage. type: String StackName: description: Stack Name Input for cfn resource signal type: String URLSuffix: description: AWS URL suffix type: String UseS3ForCRL: description: Store CA CRL(s) in an S3 bucket type: String VPCCIDR: description: "CIDR Block for the VPC" type: String mainSteps: - name: entCAInstanceId action: aws:executeAwsApi onFailure: step:signalfailure inputs: Service: ec2 Api: DescribeInstances Filters: - Name: tag:Name Values: ['{{EntCaServerNetBIOSName}}'] - Name: tag:aws:cloudformation:stack-name Values: ['{{StackName}}'] - Name: instance-state-name Values: [running] outputs: - Name: InstanceId Selector: $.Reservations[0].Instances[0].InstanceId Type: String nextStep: intializeInstance - name: intializeInstance action: aws:runCommand inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - '{{entCAInstanceId.InstanceId}}' Parameters: commands: |- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $S3BucketName = '{{QSS3BucketName}}' $S3KeyPrefix = '{{QSS3KeyPrefix}}' $S3BucketRegion = '{{QSS3BucketRegion}}' $CustomModules = @( 'Module-Pki.psd1', 'Module-Pki.psm1' ) $Modules = @( @{ Name = 'NetworkingDsc' Version = '8.2.0' }, @{ Name = 'ComputerManagementDsc' Version = '8.5.0' }, @{ Name = 'AuditPolicyDsc' Version = '1.4.0.0' } ) Write-Output 'Creating AWSQuickstart Directory' Try { $Null = New-Item -Path 'C:\AWSQuickstart\Module-Pki' -ItemType 'Directory' -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to create AWSQuickstart directory $_" Exit 1 } $S3KeyPrefix = $S3KeyPrefix.Substring(0,$S3KeyPrefix.Length -1) Write-Output 'Downloading Pki PowerShell Module' Foreach ($CustomModule in $CustomModules) { Try { $Null = Read-S3Object -BucketName $S3BucketName -Key "$($S3KeyPrefix)/scripts/Modules/Module-Pki/$CustomModule" -File "C:\AWSQuickstart\Module-Pki\$CustomModule" -Region $S3BucketRegion } Catch [System.Exception] { Write-Output "Failed to read and download $CustomModule.Name from S3 $_" Exit 1 } } Write-Output 'Installing NuGet Package Provider' Try { $Null = Install-PackageProvider -Name 'NuGet' -MinimumVersion '2.8.5' -Force -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to install NuGet Package Provider $_" Exit 1 } Write-Output 'Setting PSGallery Respository to trusted' Try { Set-PSRepository -Name 'PSGallery' -InstallationPolicy 'Trusted' -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to set PSGallery Respository to trusted $_" Exit 1 } Write-Output 'Installing the needed Powershell DSC modules for this Quick Start' Foreach ($Module in $Modules) { Try { Install-Module -Name $Module.Name -RequiredVersion $Module.Version -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to Import Modules $_" Exit 1 } } CloudWatchOutputConfig: CloudWatchOutputEnabled: true CloudWatchLogGroupName: !Sub /aws/Quick_Start/${AWS::StackName} nextStep: configureInstance - name: configureInstance action: aws:runCommand onFailure: step:signalfailure inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - '{{entCAInstanceId.InstanceId}}' Parameters: commands: |- Try { Import-Module -Name 'C:\AWSQuickstart\Module-Pki\Module-Pki.psm1' -Force } Catch [System.Exception] { Write-Output "Failed to import Pki PS Module $_" Exit 1 } New-VolumeFromRawDisk Invoke-PreConfig Invoke-LcmConfig CloudWatchOutputConfig: CloudWatchOutputEnabled: true CloudWatchLogGroupName: !Sub /aws/Quick_Start/${AWS::StackName} nextStep: configureMof - name: configureMof action: aws:runCommand onFailure: step:signalfailure inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - '{{entCAInstanceId.InstanceId}}' Parameters: commands: |- Try { Import-Module -Name 'C:\AWSQuickstart\Module-Pki\Module-Pki.psm1' -Force } Catch [System.Exception] { Write-Output "Failed to import Pki PS Module $_" Exit 1 } $EniConfig = Get-EniConfig $Secret = Get-SecretInfo -Domain '{{DomainNetBIOSName}}' -SecretArn '{{AdministratorSecret}}' Set-DscConfiguration -CaType Enterprise -Credentials $Secret.Credentials -DomainController1IP '{{DomainController1IP}}' -DomainController2IP '{{DomainController2IP}}' -DomainDNSName '{{DomainDNSName}}' -GatewayAddress $EniConfig.GatewayAddress -InstanceNetBIOSName '{{EntCaServerNetBIOSName}}' -IpAddress $EniConfig.IpAddress -MacAddress $EniConfig.MacAddress -UseS3ForCRL '{{UseS3ForCRL}}' CloudWatchOutputConfig: CloudWatchOutputEnabled: true CloudWatchLogGroupName: !Sub /aws/Quick_Start/${AWS::StackName} nextStep: runMof - name: runMof action: aws:runCommand onFailure: step:signalfailure inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - '{{entCAInstanceId.InstanceId}}' CloudWatchOutputConfig: CloudWatchOutputEnabled: true CloudWatchLogGroupName: !Sub /aws/Quick_Start/${AWS::StackName} Parameters: commands: |- Try { Import-Module -Name 'C:\AWSQuickstart\Module-Pki\Module-Pki.psm1' -Force } Catch [System.Exception] { Write-Output "Failed to import Pki PS Module $_" Exit 1 } Start-DscConfiguration 'C:\AWSQuickstart\ConfigInstance' -Wait -Verbose -Force Invoke-DscStatusCheck nextStep: InstallEntCa - name: InstallEntCa action: aws:runCommand onFailure: step:signalfailure inputs: DocumentName: AWS-RunPowerShellScript InstanceIds: - '{{entCAInstanceId.InstanceId}}' CloudWatchOutputConfig: CloudWatchOutputEnabled: true CloudWatchLogGroupName: !Sub /aws/Quick_Start/${AWS::StackName} Parameters: commands: |- Try { Import-Module -Name 'C:\AWSQuickstart\Module-Pki\Module-Pki.psm1' -Force } Catch [System.Exception] { Write-Output "Failed to import Pki PS Module $_" Exit 1 } $Secret = Get-SecretInfo -Domain '{{DomainNetBIOSName}}' -SecretArn '{{AdministratorSecret}}' Invoke-EnterpriseCaConfig -Credentials $Secret.Credentials -DirectoryType '{{DirectoryType}}' -EntCaCommonName '{{EntCaServerNetBIOSName}}' -EntCaHashAlgorithm '{{EntCaHashAlgorithm}}' -EntCaKeyLength '{{EntCaKeyLength}}' -EntCaValidityPeriodUnits '{{EntCaValidityPeriodUnits}}' -S3CRLBucketName '{{S3CRLBucketName}}' -UseS3ForCRL '{{UseS3ForCRL}}' If ('{{EnableAdvancedAudtingandMetrics}}' -eq 'true') { Set-AuditDscConfiguration Set-LogsAndMetricsCollection -Stackname '{{StackName}}' } Invoke-Cleanup -VPCCIDR '{{VPCCIDR}}' - name: CFNSignalEnd action: aws:branch inputs: Choices: - NextStep: signalsuccess Not: Variable: '{{StackName}}' StringEquals: '' - NextStep: sleepend Variable: '{{StackName}}' StringEquals: '' - name: signalsuccess action: aws:executeAwsApi isEnd: True inputs: Service: cloudformation Api: SignalResource LogicalResourceId: EntRootCA StackName: '{{StackName}}' Status: SUCCESS UniqueId: '{{entCAInstanceId.InstanceId}}' - name: sleepend action: aws:sleep isEnd: True inputs: Duration: PT1S - name: signalfailure action: aws:executeAwsApi inputs: Service: cloudformation Api: SignalResource LogicalResourceId: EntRootCA StackName: '{{StackName}}' Status: FAILURE UniqueId: '{{entCAInstanceId.InstanceId}}' EntRootCA: Type: AWS::EC2::Instance CreationPolicy: ResourceSignal: Timeout: PT30M Count: 1 Properties: ImageId: !Ref AMI IamInstanceProfile: !Ref InstanceProfile InstanceType: !Ref EntCaServerInstanceType SubnetId: !Ref EntCaServerSubnet Tags: - Key: Name Value: !Ref EntCaServerNetBIOSName - Key: Domain Value: !Ref DomainDNSName - Key: Role Value: Enterprise CA BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 60 VolumeType: gp3 Encrypted: true KmsKeyId: !Ref EbsEncryptionKmsKeyId DeleteOnTermination: true - DeviceName: /dev/xvdf Ebs: VolumeSize: !Ref EntCaDataDriveSizeGiB VolumeType: gp3 Encrypted: true KmsKeyId: !Ref EbsEncryptionKmsKeyId DeleteOnTermination: true SecurityGroupIds: - !Ref CaSG - !Ref DomainMembersSG KeyName: !Ref KeyPairName UserData: Fn::Base64: !Sub - | $Params = @{ AdministratorSecret = '${AdministratorSecret}' DirectoryType = '${DirectoryType}' DomainController1IP = '${DomainController1IP}' DomainController2IP = '${DomainController2IP}' DomainDNSName = '${DomainDNSName}' DomainNetBIOSName = '${DomainNetBIOSName}' EnableAdvancedAudtingandMetrics = '${EnableAdvancedAudtingandMetrics}' EntCaHashAlgorithm = '${EntCaHashAlgorithm}' EntCaKeyLength = '${EntCaKeyLength}' EntCaServerNetBIOSName = '${EntCaServerNetBIOSName}' EntCaValidityPeriodUnits = '${EntCaValidityPeriodUnits}' QSS3BucketName = '${QSS3BucketName}' QSS3BucketRegion = '${QSS3BucketRegion}' QSS3KeyPrefix = '${QSS3KeyPrefix}' S3CRLBucketName = '${S3CRLBucketName}' StackName = '${AWS::StackName}' URLSuffix = '${AWS::URLSuffix}' UseS3ForCRL = '${UseS3ForCRL}' VPCCIDR = '${VPCCIDR}' } Start-SSMAutomationExecution -DocumentName '${AWSQuickstartECA}' -Parameter $Params - QSS3BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Sub '${QSS3BucketName}'] QSS3BucketRegion: !If [UsingDefaultBucket, !Sub '${AWS::Region}', !Sub '${QSS3BucketRegion}'] CaSG: Type: AWS::EC2::SecurityGroup Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: "Standard Amazon practice" - id: W27 reason: "Standard Amazon practice" Properties: GroupDescription: Enterprise CA Security Group VpcId: !Ref VPCID SecurityGroupIngress: - IpProtocol: tcp Description: Certificate Enrollment FromPort: 135 ToPort: 135 CidrIp: !Ref VPCCIDR - IpProtocol: tcp Description: RDP FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref DomainMembersSG - IpProtocol: tcp Description: Random RPC FromPort: 49152 ToPort: 65535 CidrIp: !Ref VPCCIDR Tags: - Key: Name Value: CertificateAuthoritySecurityGroup CaSGCrlHttps: Type: AWS::EC2::SecurityGroupIngress Condition: UsingLocalIisCrl Properties: Description: HTTPS for CRL GroupId: !Ref CaSG IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref VPCCIDR CaSGCrlHttp: Type: AWS::EC2::SecurityGroupIngress Condition: UsingLocalIisCrl Properties: Description: HTTP for CRL GroupId: !Ref CaSG IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Ref VPCCIDR Outputs: EnterpiseCASGID: Value: !Ref CaSG Description: Enterpise CA Security Group ID EntRootCAInstanceId: Value: !Ref EntRootCA Description: EntRootCA instance ID